Hacker group that hit Twitter, Facebook, Apple and Microsoft intensifies attacks

The group has been stealing confidential information from large companies worldwide for the past three years

The hackers that targeted Twitter, Facebook, Apple and Microsoft developers two years ago have escalated their economic espionage efforts as they seek confidential business information and intellectual property they can profit from.

The group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.

After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity. However, its attacks resumed in 2014 and have since intensified, according to separate reports released Wednesday by Kaspersky Lab and Symantec.

Symantec has identified 49 different organizations in over 20 countries that have fallen victim to the Morpho group since 2012. The majority of them were from the technology, pharmaceutical, commodities and legal sectors and were based in the U.S., Canada or Europe.

Kaspersky identified additional companies compromised by the group that are involved in Bitcoin cryptocurrency, investments, healthcare, real estate, merger and acquisition deals, as well as individual users.

The absence of government or diplomatic corps victims and other details led researchers from the two security vendors to the conclusion that the Morpho group is most likely not sponsored by a nation state. Instead, it's probably a highly sophisticated cybercrime gang that knows how to exploit the business information it obtains for financial gain, for example by selling it to the highest bidder or by profiting from it on the financial markets.

The group has used at least two zero-day exploits so far, one for Flash Player and one for Java, and also had access to a digital certificate stolen from Taiwanese electronics manufacturer Acer that it used to sign its malware programs. This suggests that the attackers have access to high-value intrusion tools and techniques.

When it targeted developers from technology and Internet companies in 2013 the group launched its attack from a compromised iOS development forum using a Java zero-day exploit. This technique of compromising a website that's visited by multiple intended targets is called a watering hole attack.

That same year the Morpho group used the same method with multiple discussion forums, including expatforum.com, forum.samdroid.net, emiratesmac,com, mygsmindia.com, and a Jihadist discussion board that's now closed, researchers from Kaspersky said in a blog post. The attack vector for the 2014 and 2015 attacks is not yet known, but there are clear indications that a Web-based exploit kit with a zero-day Flash Player exploit was used, they said.

If successful, these Web-based exploits install a custom computer backdoor developed by the group that has versions for Windows and Mac OS X. The attackers then use additional custom hacking tools to move laterally through the network and compromise additional computers, servers and other devices.

According to Symantec's researchers, the Morpho attackers often target regional offices of their intended victims and then move through their internal networks to access their additional locations and headquarters.

The attackers appear to be well informed about the companies they attack and the information they're searching for.

"In many attacks, the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and, possibly use them to send counterfeit emails," the Symantec researchers said in a blog post. "The group has also attacked enterprise content management systems, which would often be home to legal and policy documents, financial records, product descriptions and training documents."

In one case, the attackers compromised a Physical Security Information Management (PSIM) system, gaining access to door locks and CCTV camera feeds.

It's not clear where the group is based. According to Symantec, some, if not all of the group's members are fluent in English, which is evident from the malware's code. However, Kaspersky also found one string in Romanian and one in Russian in the command-and-control procedures.

Peaks of activity were observed on the malware's command-and-control servers that correspond with U.S. typical working hours. This could mean that some attackers are based in the U.S., but could also be because the majority of victims are from the U.S. and Canada, forcing attackers to work during that time interval.

"Morpho is a disciplined, technically capable group with a high level of operational security," the Symantec researchers said. "Having managed to increase its level of activity over the past three years whilst maintaining a low profile, the group poses a threat that ought to be taken seriously by corporations."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoftsecuritydata breachtwitterExploits / vulnerabilitiesmalwarekaspersky labFacebookAppleintrusionsymantec

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?